Pages

Thursday, March 5, 2009

Changing the Default Users and Computers Containers in AD

In Active Directory, the default container for user objects is the Users container and the default container for computer objects is the Computers container.

If you create user or computer objects programmatically and do not specify a target OU, the objects will be created in their default container. Also, whenever you join a new computer to the domain the computer object will always be created in the default Computers container, unless you pre-stage the computer object in an OU.

It's important to note that the Computers and Users containers are just that, containers. They are not OUs. Consequently, you cannot apply Group Policy objects directly to these containers. These containers will, however, inherit GPOs from parent objects, such as the Default Domain Policy.

A lot of my customers have large OU structures where user and computer objects are always placed in specific OUs so that the objects get the correct GPOs. Typically, the default Users and Computers containers are empty for these customers. Even so, user or computer objects will sometimes be created in the default containers for various reasons. This can cause problems for these objects because GPOs are not applied correctly.

Here's how to change the default container that Active Directory will use for new user and computer objects:

  • Log into a Domain Controller (Windows Server 2003, 2008 or 2008 R2) as a Domain Admin
  • Open a CMD prompt
  • To change the default container for user objects, enter:

ReDirUsr Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created user objects.

For example:

ReDirUsr "OU=Managed Users,DC=mydomain,DC=com"

  • To change the default container for computer objects, enter:

ReDirCmp Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created computer objects.

For example:

ReDirCmp "OU=Managed Computers,DC=mydomain,DC=com"

Please note that the domain functional level must be at least Windows Server 2003 for these commands to work.

13 comments:

  1. Hi,
    I'm using win server 2003 and my domain name (Pharmaplast.local) and the Container name (Pharmaplast computer) I'm trying to change the Default Computers Containers exactly as it shown above like this
    ReDirCmp "OU=Pharmaplast Computer,DC=Pharmaplast,DC=local" but I got this
    [error, unable to modify the wellknownobjectsattribute. verify that the domain functional level of the domain is at least windows server 2003:
    unwilling to perform
    redirection was not successful]
    and I've tried to write without the Quotation then I got this
    [ReDirCmp Container-DN
    where Container-DN is the distinguished name of the container that will become the default location for newly created computer objects.
    Note: the domain functional level must be at least Windows Server 2003]
    so please I need to know why this command didn't work with me

    ReplyDelete
  2. Well, it sounds like your domain functional level is less than "Windows Server 2003". Check it in AD Users and Computers. Right-click the top-level domain (Pharmaplast.local) and select Raise Domain Functional Level to see what level you're at and to optionally raise the DFL.

    ReplyDelete
  3. thanks very much I've raised it and changed the container

    I have another question
    I want to copy or clone me domain controller with everything (computers,users,policies) to another pc so I can test it
    how can I do that?
    and does the new Pc has to be with the exact hardware like the main one?

    ReplyDelete
  4. How can i check the current default OU for users and computer accounts.

    ReplyDelete
  5. Ok, I found out how to check the status of OU if its a default or not.
    This is not an easy way if you have a huge tree structure, but this is what i got.
    we need to use LDP utility.
    Connect to a domain controller using LDP.
    Bind a Domain Admin user account.
    From View | Tree (Ctrl+T) enter the DN of OU.. and when the query is compiled check the Attribute "isCriticalSystemObject" as TRUE.
    If this Attribute is not present then its not the default OU for users or Computer accounts.

    ReplyDelete
  6. Nice information provided here which is very useful to everyone...I am not a huge fan of this side, there do seem to be a lot these days...thanks for posting...

    ReplyDelete
  7. Good find on isCriticalSystemObject (I hope you're right). I wrote this script to search AD for containers and OUs that match this criteria.
    http://social.technet.microsoft.com/Forums/en-CA/winserverDS/thread/2eedda4a-9eb7-498f-ac58-d17b9f099ea9

    ReplyDelete
  8. Is this something I only have to run one time on any dc in my domain ? or something I have to run with each new computer that is joined to the domain ?

    ReplyDelete
    Replies
    1. You make the change on one DC and it will replicate out to the others.

      Delete
  9. How do I undo it if the proverbial Stuff hist the fan?

    ReplyDelete
    Replies
    1. I am trying to figure this out as well.. best i have found is to create another OU and make it default with no settings attached

      Delete
  10. I've just ran into the same issue.

    Error, unable to modify the wellKnownObjects attribute. Verify that
    the domain functional level of the domain is at least Windows Server 2003:
    Referral
    Redirection was NOT successful.

    My domain is 2003 functional level, but I do have 2 2008r2 DCs (prepping for a new functional level soon). Shouldn't I still be able to run the command and have it work?

    ReplyDelete
  11. It should work. Make sure both your domain and forest functional levels are Windows 2003 and that you have sufficient rights.

    ReplyDelete

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.